Blame SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch

From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 14:33:06 +0200
Subject: [PATCH 1/5] Add zIPL bootloader group
---
 linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
new file mode 100644
index 0000000000..36da84530c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'zIPL bootloader configuration'
+
+description: |-
+    During the boot process, the bootloader is
+    responsible for starting the execution of the kernel and passing
+    options to it.
+    The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
+
+platform: machine
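Review bot: `platform: machine` on the last line scopes this group to every non-container host on every architecture, while the description says zIPL is the s390x boot loader; on an x86_64 host the rules under this group would then inspect `/boot/loader/entries/*.conf` and `/etc/zipl.conf` for a loader that is never installed there. Restrict the group to an s390x architecture platform if the build system provides one, or state in the description that the rules are expected to be "not applicable" elsewhere. Minor: the title says "bootloader" and the description "boot loader"; pick one spelling.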
From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 15:26:19 +0200
Subject: [PATCH 2/5] Add zIPL rule for early audit capability
---
 .../zipl_audit_argument/rule.yml              | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
new file mode 100644
index 0000000000..ce2bd60c59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
+
+description: |-
+    To ensure all processes can be audited, even those which start prior to the audit daemon,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to enable audit,
+    add 
audit=1
to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Each process on the system carries an "auditable" flag which indicates whether
+    its activities can be audited. Although <tt>auditd</tt> takes care of enabling
+    this for all processes which launch after it does, adding the kernel argument
+    ensures it is set for every process during boot.
+
+severity: medium
+
+ocil_clause: 'auditing is not enabled at boot time'
+
+ocil: |-
+  To check that audit is enabled at boot time, check all boot entries with following command:
+  
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
+  No line should be returned, each line returned is a boot entry that doesn't enable audit.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  
grep -R "^image\s*=" /etc/zipl.conf
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
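Review bot: the `ocil` check `sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf` runs grep in basic regex mode, where a bare `+` is a literal plus sign, so `\s+` only matches whitespace followed by `+`; a normal entry line such as `options root=... audit=1` does not match and `grep -L` then prints every entry file as non-compliant. Use `grep -E -L "^options\s+.*\baudit=1\b"` (or `\s\+` in basic syntax). Smaller points in the same hunk: "included in its options" should be "in their options" (several entries), and `grep -R` is redundant on the single file `/etc/zipl.conf`.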
From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 26 May 2020 15:06:12 +0200
Subject: [PATCH 3/5] Add few more zIPL kernel option rules
Add rules for the following options:
- audit_backlog_limit
- selinux
- audit_backlog_limit
- enable_selinux
- page_poison
- pti
- slub_debug
- vsyscall
---
 .../rule.yml                                  | 41 +++++++++++++++++++
 .../zipl_enable_selinux/rule.yml              | 37 +++++++++++++++++
 .../zipl_page_poison_argument/rule.yml        | 41 +++++++++++++++++++
 .../zipl_pti_argument/rule.yml                | 40 ++++++++++++++++++
 .../zipl_slub_debug_argument/rule.yml         | 41 +++++++++++++++++++
 .../zipl_vsyscall_argument/rule.yml           | 41 +++++++++++++++++++
 6 files changed, 241 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
new file mode 100644
index 0000000000..08c5b53207
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+
+description: |-
+    To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to extend the audit log events queue,
+    add 
audit_backlog_limit=8192
to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    audit_backlog_limit sets the queue length for audit events awaiting transfer
+    to the audit daemon. Until the audit daemon is up and running, all log messages
+    are stored in this queue.  If the queue is overrun during boot process, the action
+    defined by audit failure flag is taken.
+
+severity: medium
+
+ocil_clause: 'audit backlog limit is not configured'
+
+ocil: |-
+  To check that all boot entries extend the backlog limit;
+  Check that all boot entries extend the log events queue:
+  
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
+  No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  
grep -R "^image\s*=" /etc/zipl.conf
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
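Review bot: the check in `ocil` is inverted: `sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf` lists the entries that do not contain `audit_backlog_limit=0`, so an entry correctly set to `audit_backlog_limit=8192` is reported as failing and an entry that sets the limit to 0 passes. The pattern should be the required value, `audit_backlog_limit=8192`, matching the description and the `ocil_clause`. The first two `ocil` lines ("To check that all boot entries extend the backlog limit;" and "Check that all boot entries extend the log events queue:") say the same thing; keep one. As in the other rules of this series, `\s+` needs `-E`, because a bare `+` is literal in grep's basic syntax and the pattern never matches a real `options` line.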
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
new file mode 100644
index 0000000000..e7a455b90c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure SELinux Not Disabled in zIPL'
+
+description: |-
+    To ensure SELinux is not disabled at boot time,
+    check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+
+rationale: |-
+    Disabling a major host protection feature, such as SELinux, at boot time prevents
+    it from confining system services at boot time.  Further, it increases
+    the chances that it will remain off during system operation.
+
+severity: medium
+
+ocil_clause: 'SELinux is disabled at boot time'
+
+ocil: |-
+    To check that selinux is not disabled at boot time;
+    Check that no boot entry disables selinux:
+    
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
+    No line should be returned, each line returned is a boot entry that disables SELinux.
+
+    Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+    
grep -R "^image\s*=" /etc/zipl.conf
+    No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+    And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+    and <tt>/etc/zipl.conf</tt>:
+    
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+    No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
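Review bot: `-L` is the wrong flag for this negative check: `sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf` prints the entry files that do not contain `selinux=0`, i.e. the compliant ones, while the next line says every returned line is an entry that disables SELinux. Use lowercase `-l` so that only entries carrying `selinux=0` are listed, and add `-E` (a bare `+` is literal in basic grep syntax, so `\s+` never matches a real `options` line). The duplicated intro ("To check that selinux is not disabled at boot time;" followed by "Check that no boot entry disables selinux:") can be collapsed to one sentence.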
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
new file mode 100644
index 0000000000..b8a2eecee6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable page allocator poisoning in zIPL'
+
+description: |-
+    To enable poisoning of free pages,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to enable page poisoning,
+    add 
page_poison=1
to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Poisoning writes an arbitrary value to freed pages, so any modification or
+    reference to that page after being freed or before being initialized will be
+    detected and prevented.
+    This prevents many types of use-after-free vulnerabilities at little performance cost.
+    Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'page allocator poisoning is not enabled'
+
+ocil: |-
+  To check that page poisoning is enabled at boot time, check all boot entries with following command:
+  
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
+  No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  
grep -R "^image\s*=" /etc/zipl.conf
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
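Review bot: the last rationale line, "Also prevents leak of data and detection of corrupted memory.", reads as though poisoning prevents detection; it should say that poisoning also keeps stale data from leaking out of freed pages and makes corrupted memory detectable. The `ocil` grep has the same defect as the other rules in this series: `\s+` without `-E` means whitespace followed by a literal `+` in basic grep syntax, so `grep -L` flags every entry file; add `-E`.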
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
new file mode 100644
index 0000000000..4757871a5f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+
+description: |-
+    To enable Kernel page-table isolation,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to enable page-table isolation,
+    add 
pti=on
to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Kernel page-table isolation is a kernel feature that mitigates
+    the Meltdown security vulnerability and hardens the kernel
+    against attempts to bypass kernel address space layout
+    randomization (KASLR).
+
+severity: medium
+
+ocil_clause: 'Kernel page-table isolation is not enabled'
+
+ocil: |-
+  To check that page-table isolation is enabled at boot time, check all boot entries with following command:
+  
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
+  No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  
grep -R "^image\s*=" /etc/zipl.conf
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
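Review bot: please confirm this parameter has any effect on the platform this group targets. The group description says zIPL is the s390x boot loader, and the kernel documents `pti=` as an `[X86_64]` option in admin-guide/kernel-parameters.txt, so on s390x `pti=on` would be an argument the kernel does not consume while the rationale (Meltdown mitigation, KASLR hardening) describes x86 behaviour; either drop the rule from the zIPL group or say in the description why it is wanted on s390x. Style nit: stray space before the period in "page-table isolation ." at the end of the first `ocil` paragraph, and the grep needs `-E` for `\s+` as in the other rules (a bare `+` is literal in basic grep syntax).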
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
new file mode 100644
index 0000000000..166dd41afd
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+
+description: |-
+    To enable poisoning of SLUB/SLAB objects,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to extend the audit log events queue,
+    add 
slub_debug=P
to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Poisoning writes an arbitrary value to freed objects, so any modification or
+    reference to that object after being freed or before being initialized will be
+    detected and prevented.
+    This prevents many types of use-after-free vulnerabilities at little performance cost.
+    Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+
+ocil: |-
+  To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
+  
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
+  No line should be returned, each line returned is a boot entry that does not enable poisoning.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  
grep -R "^image\s*=" /etc/zipl.conf
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
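Review bot: the second description paragraph is a copy-paste leftover from the backlog-limit rule: "To ensure that new kernels and boot entries continue to extend the audit log events queue," should read "continue to enable SLUB/SLAB poisoning," ahead of the `add slub_debug=P to /etc/kernel/cmdline` line. Also: the rationale's last sentence has the same inverted wording as the page-poison rule ("Also prevents leak of data and detection of corrupted memory." says the opposite of what is meant), the `ocil` intro ends with ";" where the sibling rules use ":", and the grep needs `-E` for `\s+` (a bare `+` is literal in basic grep syntax).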
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
new file mode 100644
index 0000000000..6b95d16fb8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable vsyscalls in zIPL'
+
+description: |-
+    To disable use of virtual syscalls,
+    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+
+    To ensure that new kernels and boot entries continue to disable virtual syscalls,
+    add 
vsyscall=none
to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    Poisoning writes an arbitrary value to freed pages, so any modification or
+    reference to that page after being freed or before being initialized will be
+    detected and prevented.
+    This prevents many types of use-after-free vulnerabilities at little performance cost.
+    Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'vsyscalls are enabled'
+
+ocil: |-
+  To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
+  
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
+  No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+
+  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+  
grep -R "^image\s*=" /etc/zipl.conf
+  No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
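Review bot: the `rationale` block is the page-poison text pasted verbatim ("Poisoning writes an arbitrary value to freed pages, ...") and says nothing about virtual syscalls; it needs its own text (the legacy vsyscall page sits at a fixed address in every process, which gives an attacker who already controls a return address a target that ASLR cannot move, and `vsyscall=none` removes the mapping). The kernel also documents `vsyscall=` (like `pti=`) as an `[X86_64]` parameter, so for the s390x systems this group is described as targeting the description should say why the option is required. The grep needs `-E` for `\s+` as in the other rules (a bare `+` is literal in basic grep syntax).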
From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Jun 2020 13:29:39 +0200
Subject: [PATCH 4/5] Fix formatting of zIPL rules
 is rendered in a separate line, while <tt> is rendered inline.
Add line breaks for better readability.
---
 .../bootloader-zipl/zipl_audit_argument/rule.yml       | 10 +++++-----
 .../zipl_audit_backlog_limit_argument/rule.yml         | 10 +++++-----
 .../bootloader-zipl/zipl_enable_selinux/rule.yml       |  8 ++++----
 .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
 .../system/bootloader-zipl/zipl_pti_argument/rule.yml  | 10 +++++-----
 .../bootloader-zipl/zipl_slub_debug_argument/rule.yml  | 10 +++++-----
 .../bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 10 +++++-----
 7 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index ce2bd60c59..16c0b3f89a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
 description: |-
     To ensure all processes can be audited, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
 
     To ensure that new kernels and boot entries continue to enable audit,
-    add 
audit=1
to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Each process on the system carries an "auditable" flag which indicates whether
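Review bot: `<tt>image = </tt>` keeps a trailing space inside the tag, which renders as a visible gap before "setting"; write `<tt>image =</tt>` and give the sentence an article ("doesn't contain an <tt>image =</tt> setting"). Likewise "And run <tt>zipl</tt> command" reads better as "Then run the <tt>zipl</tt> command". The same two lines are changed in all seven files of this commit, so one pass fixes them together.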
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 08c5b53207..47a532d50f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
 description: |-
     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
 
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
-    add 
audit_backlog_limit=8192
to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     audit_backlog_limit sets the queue length for audit events awaiting transfer
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index e7a455b90c..5aa91c16aa 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
 description: |-
     To ensure SELinux is not disabled at boot time,
     check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
 
 rationale: |-
     Disabling a major host protection feature, such as SELinux, at boot time prevents
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index b8a2eecee6..8546325752 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
 description: |-
     To enable poisoning of free pages,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
 
     To ensure that new kernels and boot entries continue to enable page poisoning,
-    add 
page_poison=1
to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Poisoning writes an arbitrary value to freed pages, so any modification or
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 4757871a5f..eaef25ce40 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
 description: |-
     To enable Kernel page-table isolation,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
 
     To ensure that new kernels and boot entries continue to enable page-table isolation,
-    add 
pti=on
to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Kernel page-table isolation is a kernel feature that mitigates
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 166dd41afd..68e91a92d6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
 description: |-
     To enable poisoning of SLUB/SLAB objects,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
 
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
-    add 
slub_debug=P
to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Poisoning writes an arbitrary value to freed objects, so any modification or
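Review bot: the unchanged context line "To ensure that new kernels and boot entries continue to extend the audit log events queue," two lines above `+    add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.` is still the copy-paste leftover from the backlog-limit rule; since this commit already reflows that paragraph, replace it here with "continue to enable SLUB/SLAB poisoning,".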
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 6b95d16fb8..8d39337f9e 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
 description: |-
     To disable use of virtual syscalls,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
-    included in its options.
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain 
image = 
setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
-    And run 
zipl
command so that <tt>/boot/bootmap</tt> is updated.
+    included in its options.
+    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.
 
     To ensure that new kernels and boot entries continue to disable virtual syscalls,
-    add 
vsyscall=none
to <tt>/etc/kernel/cmdline</tt>.
+    add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
     Poisoning writes an arbitrary value to freed pages, so any modification or
From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 13:08:07 +0200
Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
copy-pasta error
---
 .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 8d39337f9e..9624b43349 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -16,11 +16,8 @@ description: |-
     add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
-    Poisoning writes an arbitrary value to freed pages, so any modification or
-    reference to that page after being freed or before being initialized will be
-    detected and prevented.
-    This prevents many types of use-after-free vulnerabilities at little performance cost.
-    Also prevents leak of data and detection of corrupted memory.
+    Virtual Syscalls provide an opportunity of attack for a user who has control
+    of the return instruction pointer.
 
 severity: medium
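Review bot: the new two-line rationale is too terse to justify a medium-severity rule, and "an opportunity of attack" is awkward; say what the fixed mapping costs the defender, for example: "The legacy virtual syscall (vsyscall) page is mapped at a fixed address in every process, so an attacker who already controls a return address has a target that address space layout randomization cannot move; <tt>vsyscall=none</tt> removes the mapping." Also use lowercase "virtual syscalls" to match the `vsyscall=` parameter named in the description.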